cli-tools
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Privilege Escalation (HIGH): The skill explicitly instructs the agent to use 'sudo apt install' and 'sudo apt update'. Granting an AI agent the ability to execute commands with root/administrative privileges is a high-risk configuration that can lead to full system compromise.
- External Downloads & Unverifiable Dependencies (MEDIUM): The skill facilitates the installation of packages from various third-party registries (Homebrew, APT, npm, Composer). While these registries are generally trusted, the skill allows for the installation of arbitrary packages which could include malicious or typosquatted dependencies.
- Dynamic Execution (MEDIUM): The 'Auto-Install Workflow' describes a process where the agent parses error messages to determine which package to install and then automatically retries the command. This creates a feedback loop where untrusted input (an error message) can trigger the execution of installation and subsequent binary execution commands.
- Indirect Prompt Injection (LOW): The skill is vulnerable to indirect injection via the 'Auto-Install Workflow'. If an attacker can cause a specific 'command not found' error message to appear in the agent's context (e.g., by placing it in a README or log file the agent reads), they could potentially trick the agent into installing and executing a malicious package.
- Ingestion points: System error messages and CLI output processed by the agent.
- Boundary markers: None present; the agent is instructed to extract tool names directly from the raw error strings.
- Capability inventory: Execution of shell commands via brew, apt, npm, and composer, including sudo usage.
- Sanitization: No sanitization or validation of the 'extracted' tool name is described before it is passed to a package manager.
Recommendations
- AI detected serious security threats
Audit Metadata